Secure Coding mailing list archives
Re: (Shellcode Injection)
From: Crispin Cowan <crispin () immunix com>
Date: Sun, 14 Dec 2003 02:33:00 +0000
ljknews wrote:

> At 6:08 PM -0800 12/12/03, Crispin Cowan wrote:
>
>> I'm sorry, but that's wrong. It is entirely possible to avoid shell code injection in type safe languages.
>
> Ok, I will admit to never having heard the term "shellcode injection". Google did not help, finding only references, not definitions. Could someone explain in terms that do _not_ assume a Unix or Windows background?

Without discussing Unix or Windows issues, probably not :) But here's an attempt.

A common form of attack against Unix and Windows (and in fact many other platforms) is to:

1. Inject malicious code into a victim process's address space.
2. Induce the program to jump to the malicious code.

The malicious code often spawns a shell, and so it is called "shellcode".

Observations:

* The malicious code does not always have to be injected; it can also be in the program's text segment, colloquially known as a "return into libc" attack.
* Inducing the program to jump to the malicious code can be effected in a variety of ways, including buffer overflows, printf format string attacks, and other type safety violations endemic to the C and C++ languages.

I wrote a paper categorizing these attacks and relevant defenses:

"Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade". Crispin Cowan, Perry Wagle, Calton Pu, Steve Beattie, and Jonathan Walpole. DARPA Information Survivability Conference and Expo (DISCEX) <http://schafercorp-ballston.com/discex/>, Hilton Head Island SC, January 2000. Also presented as an invited talk at SANS 2000 <http://www.sans.org/sans2000/sans2000.htm>, Orlando FL, March 2000. PDF <http://immunix.com/%7Ecrispin/discex00.pdf>.

However, this paper is now 4 years old, so there are new forms of attack (printf format string attacks) and defenses (PaX, W^X, Program Shepherding) that the paper does not cover.

Crispin

--
Crispin Cowan, Ph.D. http://immunix.com/~crispin/
CTO, Immunix http://immunix.com
Immunix 7.3 http://www.immunix.com/shop/
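The post names buffer overflows and printf format string misuse as the C-language type safety violations that let input redirect control flow to injected code. The following is an added example, not code from Crispin's post or from Immunix: it shows the unbounded-copy pattern beside a bounded form that keeps a fixed 32-byte buffer, always terminates it, reports truncation to the caller instead of continuing silently, and only ever passes a literal format string to printf. The function names (`greet_unsafe`, `copy_bounded`, `greet_safe`) and the inputs in `main` are constructed for this illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/*
 * Illustration of the two C idioms the post refers to. greet_unsafe() is
 * deliberately never called by anything here; it exists to be read next to
 * the bounded version below it.
 */
void greet_unsafe(const char *name)
{
    char buf[32];
    strcpy(buf, name);  /* no bound: input longer than 31 bytes writes past buf */
    /* The second idiom, printf(buf), takes the format string from input.
     * It is left as a comment because current toolchains commonly reject
     * it outright (-Werror=format-security). */
    printf("%s\n", buf);
}

/*
 * Bounded copy: writes at most dstlen bytes (including the terminator),
 * always terminates dst, and returns 1 if src had to be cut short, 0 if
 * it fit, -1 if dst has no room at all. *written receives the byte count.
 */
int copy_bounded(char *dst, size_t dstlen, const char *src, size_t *written)
{
    size_t n = 0;
    int truncated = 0;
    if (dstlen == 0)
        return -1;
    /* Scan no further than dstlen so an unterminated src cannot run away. */
    while (n < dstlen && src[n] != '\0')
        n++;
    if (n >= dstlen) {
        n = dstlen - 1;
        truncated = 1;
    }
    memcpy(dst, src, n);
    dst[n] = '\0';
    if (written)
        *written = n;
    return truncated;
}

/*
 * Hardened greeting. Same fixed 32-byte buffer as greet_unsafe, but the copy
 * is bounded, truncation is reported (treated here as a rejected input), and
 * the format string is a literal with %s as its only directive.
 * Returns 0 on success, 1 if name was too long, -1 on an output error.
 */
int greet_safe(const char *name, char *out, size_t outlen)
{
    char buf[32];
    size_t n;
    int rc = copy_bounded(buf, sizeof buf, name, &n);
    if (rc != 0)
        return rc;
    int len = snprintf(out, outlen, "Hello, %s!\n", buf);
    if (len < 0 || (size_t)len >= outlen)
        return -1;  /* output buffer too small; nothing past outlen was written */
    return 0;
}

int main(void)
{
    /* Constructed inputs: a short name and one longer than the buffer. */
    char out[64];
    char big[100];
    if (greet_safe("Crispin", out, sizeof out) == 0)
        fputs(out, stdout);
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    printf("oversized input: rc=%d\n", greet_safe(big, out, sizeof out));
    return 0;
}
```

The point of returning the truncation flag rather than silently clipping is that a defender wants over-long input to be visible as a rejected request (and loggable), not absorbed: silent truncation hides exactly the inputs a probing attacker sends.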
Current thread:
- [SC-L] Jeffrey W. Baker (Dec 12)
- Re: [SC-L] Crispin Cowan (Dec 12)
- Re: (Shellcode Injection) ljknews (Dec 13)
- Re: (Shellcode Injection) Crispin Cowan (Dec 13)
- Re: (Shellcode Injection) ljknews (Dec 14)
- Re: (Shellcode Injection) Crispin Cowan (Dec 14)
- Re: (Shellcode Injection) ljknews (Dec 15)
- Re: (Shellcode Injection) Crispin Cowan (Dec 15)
- Re: (Shellcode Injection) ljknews (Dec 13)
- The right tool for the right job, quit beating on the C language Dana Epp (Dec 14)
- Re: The right tool for the right job, quit beating on the C language ljknews (Dec 14)
- Re: [SC-L] Crispin Cowan (Dec 12)
- Re: (Shellcode Injection) Louis Solomon [SteelBytes] (Dec 15)
- Re: (Shellcode Injection) ljknews (Dec 15)
- Message not available
- Re: (Shellcode Injection) Crispin Cowan (Dec 14)
- <Possible follow-ups>
- RE: [SC-L] Lewis, Todd (Dec 15)